PERMISSION/PROTOCOL

2026-05-22

Critical · Vendor post

GitHub Confirms 3,800 Internal Repos Exfiltrated After Employee Installed Poisoned Nx Console VS Code Extension

GitHub confirmed 3,800 internal repos — including Copilot and GitHub Actions source — were exfiltrated after a TeamPCP-poisoned Nx Console VS Code extension harvested AWS, GitHub, and Claude Code API keys.

  • Nx Console / VS Code Marketplace
  • Credential exposure
  • Developer credential theft / internal repository exfiltration
  • GitHub internal repositories / developer workstation credential stores

What happened

Poisoned VS Code extension harvested multi-platform developer credentials; stolen GitHub credentials used to exfiltrate ~3,800 internal repositories including Copilot and GitHub Actions source

Why it matters

3,800 GitHub internal repos exfiltrated including Copilot internals and GitHub Actions workflow source; AWS, GitHub, Kubernetes, GCP/Docker, and Claude Code API keys compromised; stolen data listed for $50K on dark web forums

Missing authorization check

Action-level authorization receipts tied to the agent session identity, not just the API key — ensuring stolen credentials cannot authorize high-impact actions without a fresh human-in-the-loop confirmation through an independent channel

Would PP block it?

The primary enforcement point is the authorization receipt requirement: stolen API keys alone cannot produce a valid PP receipt because receipt issuance requires a live authority channel handshake independent of the stolen credential. This means attackers using harvested Claude Code or GitHub tokens in an agent context would fail authorization on any PP-gated action. However, PP has no visibility into VS Code extension installations, local credential stores, or native GitHub CLI operations — the theft vector itself is outside PP's enforcement boundary.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-05-19

    TeamPCP poisons Nx Console 18.95.0 as part of the Mini Shai-Hulud supply chain campaign; malicious version available on VS Code Marketplace for ~18 minutes, OpenVSX for ~36 minutes

  2. 2026-05-20

    GitHub employee installs poisoned Nx Console extension; payload harvests credentials for GitHub (via gh CLI), AWS, Kubernetes, GCP/Docker, and Claude Code

  3. 2026-05-20

    TeamPCP uses stolen GitHub credentials to exfiltrate ~3,800 internal GitHub repositories including Copilot internals and GitHub Actions workflow source

  4. 2026-05-21

    GitHub detects compromise, isolates endpoint, removes malicious extension from VS Code Marketplace, begins rotating critical secrets; TeamPCP lists stolen repos on Breached forum for $50K minimum

  5. 2026-05-22

    GitHub CISO Alexis Wales publishes blog post confirming Nx Console as the attack vector; GitHub links breach to TanStack npm supply-chain attack; Nx team confirms developer was compromised via stolen gh CLI credentials

Technical breakdown

  • The attack exploited the VS Code extension update pipeline: Nx Console 18.95.0 was poisoned by compromising the TanStack build infrastructure (itself breached in the broader Mini Shai-Hulud campaign), giving TeamPCP a trusted auto-update delivery channel into developer workstations.
  • The malicious extension payload targeted developer credential stores broadly — npm tokens, AWS access keys, Kubernetes configs, GCP/Docker credentials, GitHub tokens via the gh CLI, and Claude Code API keys — treating the developer workstation as a credential harvesting surface.
  • Stolen GitHub credentials were used to run workflows and clone repositories 'as a contributor,' bypassing GitHub's IP allowlists and authentication controls because the credentials were legitimately issued to the victim developer.
  • The 18-minute marketplace availability window was sufficient for real-world compromise: low download counts (28 on VS Code Marketplace, 41 on OpenVSX) still resulted in at least one GitHub employee installation — demonstrating that supply chain attacks don't require wide distribution to cause critical impact.
  • Harvested Claude Code API keys mean attackers can now impersonate developer agent sessions — submitting code changes, triggering CI/CD pipelines, or accessing codebases through the agentic surface with full credential legitimacy but without the credential owner's knowledge or intent.
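
A defender-side check for the release named in the timeline, added here as an example (not code from GitHub, the Nx team, or Permission Protocol): it walks VS Code extension directories and flags any extension whose package.json reports Nx Console at version 18.95.0. The `displayName` match and the directory list are assumptions to adjust for your fleet.

```python
import json
from pathlib import Path

# Name and version taken from the timeline above.
FLAGGED_NAME = "nx console"
FLAGGED_VERSION = "18.95.0"

# Assumption: default per-user extension directories (VS Code, VS Code
# remote server, VSCodium, which installs from OpenVSX).
DEFAULT_ROOTS = [".vscode/extensions", ".vscode-server/extensions",
                 ".vscode-oss/extensions"]


def read_manifest(ext_dir):
    """Return the extension's package.json as a dict, or None if unreadable."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None


def find_flagged(roots, name=FLAGGED_NAME, version=FLAGGED_VERSION):
    """List (path, displayName, version) for installed copies of the flagged release."""
    hits = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            manifest = read_manifest(ext_dir)
            if manifest is None:
                continue
            # Assumption: the manifest's displayName matches the marketplace name.
            display = str(manifest.get("displayName", manifest.get("name", "")))
            if display.strip().lower() == name and str(manifest.get("version")) == version:
                hits.append((str(ext_dir), display, str(manifest["version"])))
    return hits


if __name__ == "__main__":
    home = Path.home()
    for path, display, version in find_flagged(home / r for r in DEFAULT_ROOTS):
        print(f"FLAGGED {display} {version} at {path}")
```

A hit means the workstation's credential stores listed above should be treated as exposed and rotated; an empty result does not rule out an install that was later auto-updated or removed.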

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Credential Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: Credential Gate (agent session authorization, not credential possession)
Still needs: VS Code extension marketplace trust; local developer credential store security; native CLI operations outside PP-instrumented agent runtimes
Receipt required for: Any agent action using harvested credentials — repository clones, workflow triggers, deployment operations, API calls on behalf of the credential owner

PP's Credential Gate requires a signed authorization receipt at execution time, not just a valid API key. Even if TeamPCP harvested a Claude Code API key, any high-impact action attempted with that key would require a PP receipt signed through an independent authority channel that the attacker cannot replicate. PP does not prevent the initial credential theft via a malicious extension, nor does it govern GitHub CLI operations outside a PP-instrumented agent runtime.
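
A sketch of the receipt check described above, added as an example and not Permission Protocol's implementation: a valid API key is necessary but not sufficient, and each receipt is bound to one action and session, expires, and is single-use. All names, the key, and the action strings are constructed; HMAC with a key that never touches the workstation stands in for the authority's signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. Assumption: held only by the authority service and the
# gate, never on the workstation. HMAC stands in for a real signature scheme.
AUTHORITY_KEY = b"constructed-demo-authority-key"
VALID_API_KEYS = {"sk-demo-constructed"}  # constructed credential


def _digest(fields):
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUTHORITY_KEY, msg, hashlib.sha256).hexdigest()


def issue_receipt(action, session_id, now, ttl=60):
    """Authority side: called only after a human confirms out of band."""
    fields = {"action": action, "session": session_id,
              "expires": now + ttl, "nonce": secrets.token_hex(8)}
    return {**fields, "sig": _digest(fields)}


class CredentialGate:
    def __init__(self):
        self.used_nonces = set()

    def authorize(self, api_key, action, session_id, receipt, now):
        """Return (allowed, reason) for one high-impact action."""
        if api_key not in VALID_API_KEYS:
            return False, "unknown api key"
        if receipt is None:
            return False, "no receipt"  # a stolen key alone stops here
        fields = {k: receipt.get(k) for k in ("action", "session", "expires", "nonce")}
        sig = str(receipt.get("sig", "")).encode()
        if not hmac.compare_digest(_digest(fields).encode(), sig):
            return False, "bad signature"
        if fields["action"] != action or fields["session"] != session_id:
            return False, "receipt bound to a different action or session"
        if now > fields["expires"]:
            return False, "receipt expired"
        if fields["nonce"] in self.used_nonces:
            return False, "receipt already used"
        self.used_nonces.add(fields["nonce"])
        return True, "ok"
```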

Start small

Put the relevant gate at this action boundary.

This incident maps to Credential Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
